CVE-2025-28857
Published: 11 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-28857 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the Rankchecker.io Integration WordPress plugin (rankchecker-io-integration). This flaw allows for Stored Cross-Site Scripting (XSS) and affects all versions from n/a through 1.0.9. The vulnerability has a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating high severity due to its network accessibility and scope change.
Attackers can exploit this vulnerability remotely over the network with low attack complexity and no required privileges, though it necessitates user interaction, such as a victim administrator clicking a crafted link. Exploitation enables CSRF to trigger Stored XSS, allowing attackers to inject malicious scripts that persist and execute in the context of the affected site, potentially leading to low-level impacts on confidentiality, integrity, and availability.
Patchstack has documented this CSRF to Stored XSS vulnerability specifically in Rankchecker.io Integration plugin version 1.0.9, providing details for WordPress security practitioners at https://patchstack.com/database/Wordpress/Plugin/rankchecker-io-integration/vulnerability/wordpress-rankchecker-io-integration-plugin-1-0-9-csrf-to-stored-cross-site-scripting-xss-vulnerability?_s_id=cve.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a remotely exploitable CSRF-to-stored-XSS flaw in a public-facing WordPress plugin, directly enabling exploitation of a public-facing application (T1190) via a crafted link that triggers persistent script injection.